[CentOS] network bound disk encryption bond interface not working

Wed Dec 15 20:17:28 UTC 2021
Natxo Asenjo <natxo.asenjo at gmail.com>

Hi,

Running 8.5, I cannot get the LUKS container to unlock automatically on a
Dell PowerEdge 740.

This is the setup. The clevis client has bound a tang server:

# clevis luks list  -d /dev/sdb2
1: tang '{"url":"http://10.x.x.200"}'

This sdb2 is the boot device.

dracut config:

kernel_cmdline="bond=bond0:eno1,eno2:mode=4,miimon=100
ip=10.xx.x.1::10.xx.x.254:255.255.255.0::bond0:none  "
omit_dracutmodules+="ifcfg"

After a reboot, I see that the tang server receives a POST from this IP
and sends a 200 back:

16:45:02.247838 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
TCP (6), length 60)
    10.xx.x.200.80 > 10.xx.x.1.46374: Flags [S.], cksum 0x391b
(incorrect -> 0x0686), seq 2182485757, ack 3195393805, win 28960,
options [mss 1460,sackOK,TS val 329378980 ecr 3156670178,nop,wscale
7], length 0
16:45:02.248057 IP (tos 0x0, ttl 63, id 8950, offset 0, flags [DF],
proto TCP (6), length 52)
    10.xx.x.1.46374 > 10.xx.x.200.80: Flags [.], cksum 0xa58d
(correct), ack 1, win 229, options [nop,nop,TS val 3156670178 ecr
329378980], length 0
16:45:02.248191 IP (tos 0x0, ttl 63, id 8951, offset 0, flags [DF],
proto TCP (6), length 448)
    10.xx.xx.1.46374 > 10.xx.x.200.80: Flags [P.], cksum 0x134d
(correct), seq 1:397, ack 1, win 229, options [nop,nop,TS val
3156670178 ecr 329378980], length 396: HTTP, length: 396
        POST /rec/BMZ0nj7Ecn79Au8t24041JoChXk HTTP/1.1
        Host: 10.xx.x.200
        User-Agent: curl/7.61.1
        Accept: */*
        Content-Type: application/jwk+json
        Content-Length: 230

        {"alg":"ECMR","crv":"P-521","kty":"EC","x":"ARUMMnBG_wm8o3KuHk9qnEPbft1M7SMSlHkFHiSD0dDZSegvIZARe8U1V6lsaYZGSJ8mPBvI-NlUUc4yrdF3naaz","y":"ANQwwFFAEzl6UWiDrv37Pr8yTuWdwlDwq_QR0Q9TNP34_fsJAZ-y3oJv0uIoat6KLhPylWTjAY_jJIblOzWhQZpW"}
16:45:02.248215 IP (tos 0x0, ttl 64, id 58644, offset 0, flags [DF],
proto TCP (6), length 52)
    10.xxx.xx.200.80 > 10.xx.x.1.46374: Flags [.], cksum 0x3913
(incorrect -> 0xa3fb), ack 397, win 235, options [nop,nop,TS val
329378980 ecr 3156670178], length 0
16:45:02.282326 IP (tos 0x0, ttl 64, id 58645, offset 0, flags [DF],
proto TCP (6), length 69)
    10.xx.x.200.80 > 10.x.x.1.46374: Flags [P.], cksum 0x3924
(incorrect -> 0xe3fa), seq 1:18, ack 397, win 235, options [nop,nop,TS
val 329379014 ecr 3156670178], length 17: HTTP, length: 17
        HTTP/1.1 200 OK


So basically, it should unlock, but it's not unlocking.

Does anyone have experience with bond interfaces and NBDE on 8/9?

TIA.

-- 
regards,
Natxo